While the first article on this topic dealt with issues important to subjects seeking access to data, this article relates to controllers, i.e. those who decide how and why data is processed.
A Data Controller must ensure that the individuals whose data they are processing (or someone on the individual’s behalf) are facilitated to lodge access requests. A Data Controller must provide a response to an access request in a certain manner and within certain time limits.
A Data Controller’s failure to adhere to obligations under Data Protection law, including those related to the right of access, may result in the Data Subject lodging a complaint to the DPC (Data Protection Commission) which could lead to a fine and/or further corrective measures being imposed on the Data Controller.
A Data Controller must ensure that their organisation has a dedicated way for a Data Subject to make a request and for a Data Controller to record such a request. Data Controllers may wish to use standard or online forms for the lodgement of access requests. This can help streamline a Data Subject’s access request and can ensure consistency and timely responses to a request within a Data Controller’s organisation. For example, Data Controllers could establish a dedicated email address to be used by Data Subjects in order to lodge access requests and display that email address in an easily accessible part of its website.
However, Data Subjects can always validly lodge an access request by contacting the organisation through any method of communication, be it by phone, post, informal chat or in person. The GDPR does not require any particular form to be used to make a valid access request.
How a request is lodged is entirely up to the Data Subject, with no particular or formal method prescribed by data protection law. Therefore, a Data Subject may decide to authorise someone else, such as a solicitor, an individual, not-for-profit body, organisation or specific association to lodge a request on their behalf. There is no need for the authorisation to bear particular formalities. The third party lodging the request must nonetheless be able to provide evidence that such authorisation came from the Data Subject.
A Data Subject is entitled to request access to any or all of their personal data. A Data Controller who processes a large quantity of information concerning the Data Subject can request that the Data Subject specify the information they want to be provided or the specific processing activities which they want access to and, in addition to this, may be entitled to extend the time to answer the access request.
The maximum time limit to provide information on the action taken on an access request is one calendar month from receipt of the access request by identified or identifiable Data Subjects, regardless of the fact that such receipt is not on a working day. Exceeding the maximum time limit would automatically constitute a breach of the Data Controller’s obligations.
The processes and guidelines for Data Controllers are thorough and specific. It is in the best interest of any Data Controller to be aware of their rights and responsibilities.
The following guidance should answer some of the most frequently asked questions for Controllers who are struggling to deal with the access requests they are receiving: "Subject Access Requests: A Data Controller's Guide".
NB – This is a guide for information purposes only and does not constitute legal advice. If you have an issue requiring legal advice, please contact any of the team at Nolan Farrell & Goff LLP, whose numbers can be found on our website www.nfg.ie, or email firstname.lastname@example.org.